I have recently started to maintain an online system. It is using JSF with PrimeFaces for the front end, with a Java backend. JSF is a new technology for me.

During the login process the whole user table (including clear-text passwords (will soon be fixed)) is loaded into an HttpSession attribute and referenced in other parts of the system. The system has fewer than 50 users, so the size of the data is not a big concern to me.

The fact that all the user data is riding in the session is, however, a concern.

Do I worry needlessly, or is there a way to gain access to this information via a client-side exploit? Are there any other reasons I can put on my manager's table as justification for an urgent rewrite of this mechanism?

Abbreviated code below:

login.xhtml

<p:inputText id="username" value="#{userBean.userName}" name="username"></p:inputText>
<p:password id="password" value="#{userBean.password}"></p:password>
<p:commandButton id="loginSubmit" value="Login" action="#{userBean.auth}"></p:commandButton>

UserBean.java

import java.util.HashMap;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean {
    // userName/password properties bound from login.xhtml and the injected dbBean
    // (data-access bean) are declared elsewhere in the abbreviated original.
    public String auth() {
        // ...
        FacesContext fctx = FacesContext.getCurrentInstance();
        HttpSession session = (HttpSession) fctx.getExternalContext().getSession(true);
        // Every UserDetail row, clear-text passwords included, is copied into the session here
        HashMap<Long, UserDetail> usersMap = dbBean.getAllUserDetails();
        session.setAttribute("usersMap", usersMap);
        // ...
    }
}
  • The HttpSession is stored at server side and shouldn't be visible to any end user, unless he has access to the server. But there's no real need to keep the password in the session. That's just a bad design. The password has to be in server memory only for the amount of time that is necessary for authentication. – Aritz Mar 25 '14 at 14:56
  • Agree. If someone can exploit the application and run code in server context, it makes no difference whether the user table is in the session or not; the exploiter gains access to managed beans as well and can then access the database. It is only poor design, but not a security hole on its own. – Michele Mariotti Mar 25 '14 at 22:17

1 Answer

Although the comments answered your question, let's sum it up:

  • The session is stored on the server side; no client-side hack could access this data unless it exploits security flaws in the JSF implementation, which is quite rare
  • If a hacker is able to compromise server components, he will surely gain access to the user data from the DB, whether or not it's stored in the user session
  • Your concerns are understandable, but you should focus on user code flaws or known library flaws rather than application design
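As an added example (not the asker's or the answer's code), this is the login pattern the comments and answer point at: the password is checked against a salted PBKDF2 hash and discarded, and the session keeps only the authenticated identity rather than the whole user table. A `Map` stands in for the HttpSession attributes and for the database so the class runs as a plain Java program; `StoredUser`, `AuthenticatedUser`, the sample users and the 210,000-iteration PBKDF2 setting are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not the asker's code): a Map stands in for HttpSession attributes
// and for the user table so that the class runs outside a servlet container.
public class SessionLogin {
    // Stand-in for the UserDetail row: salted PBKDF2 hash instead of a clear-text password.
    record StoredUser(long id, String username, byte[] salt, byte[] hash, Set<String> roles) {}
    // The only thing the session keeps about the login: identity and roles, no password.
    record AuthenticatedUser(long id, String username, Set<String> roles) {}

    private static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static StoredUser register(long id, String name, char[] pw, Set<String> roles) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new StoredUser(id, name, salt, pbkdf2(pw, salt), roles);
    }

    /** Verifies one user and stores only an AuthenticatedUser in the session; true on success. */
    static boolean login(Map<String, StoredUser> userTable, Map<String, Object> session,
                         String username, char[] password) throws Exception {
        StoredUser u = userTable.get(username);               // fetch one row, not the whole table
        boolean ok = u != null && MessageDigest.isEqual(u.hash(), pbkdf2(password, u.salt()));
        Arrays.fill(password, '\0');                          // clear-text password gone after the check
        if (!ok) return false;
        session.clear();                                      // stands in for invalidate() + new session
        session.put("currentUser", new AuthenticatedUser(u.id(), u.username(), u.roles()));
        return true;
    }

    public static void main(String[] args) throws Exception {
        Map<String, StoredUser> userTable = new HashMap<>();  // constructed sample data
        userTable.put("alice", register(1L, "alice", "correct horse".toCharArray(), Set.of("admin")));
        userTable.put("bob", register(2L, "bob", "hunter2".toCharArray(), Set.of("user")));
        Map<String, Object> session = new HashMap<>();
        System.out.println(login(userTable, session, "alice", "wrong".toCharArray()));
        System.out.println(login(userTable, session, "alice", "correct horse".toCharArray()));
        System.out.println(session.keySet());                // only currentUser, never usersMap
    }
}
```

In the real JSF bean the same shape applies: call `session.invalidate()` and obtain a fresh session after a successful check, and look up other users' records through the data-access bean when a page needs them instead of caching the table in the session.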